Bug 717494 - [FIX] ipa-replica-install fails to create a valid cert db password
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-server
Version: 2.0
Hardware: Unspecified
OS: Linux
unspecified
medium
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
Reported: 2011-06-29 01:13 UTC by raal.goff
Modified: 2015-01-04 23:49 UTC (History)

Fixed In Version: freeipa-2.1.3-5.fc16
Doc Type: Bug Fix
Last Closed: 2012-03-28 09:28:05 UTC


Patch for fix (477 bytes, application/octet-stream)
2011-06-29 01:13 UTC, raal.goff

Description raal.goff 2011-06-29 01:13:01 UTC
Created attachment 510376
Patch for fix

Description of problem:

When running ipa-replica-install, it will fail at the following step:

Configuring the web interface: Estimated time 1 minute
  [1/11]: disabling mod_ssl in httpd
  [2/11]: setting mod_nss port to 443
  [3/11]: setting mod_nss password file
  [4/11]: adding URL rewriting rules
  [5/11]: configuring httpd
  [6/11]: setting up ssl
  [7/11]: publish CA cert
  [8/11]: creating a keytab for httpd
  [9/11]: configuring SELinux for httpd
  [10/11]: restarting httpd
creation of replica failed: Command '/sbin/service httpd restart ' returned non-zero exit status 1

Looking in /var/log/httpd/error_log shows:

[Tue Jun 28 14:50:35 2011] [error] Certificate not found: 'Server-Cert' 

This seems to be because the password file (/etc/httpd/conf/password.conf) for the certificate db is empty.

Version-Release number of selected component (if applicable):

2.0

How reproducible:

Every time (for my install at least)

Steps to Reproduce:
1. ipa-replica-prepare ipareplica.example.com
2. scp /var/lib/ipa/replica-info-ipareplica.example.com.gpg root@ipareplica:/var/lib/ipa/
3. ipa-replica-install /var/lib/ipa/replica-info-ipareplica.example.com.gpg
  
Actual results:

Replica creation fails

Expected results:

Replica creation should succeed

Additional info:

It can be fixed by changing line 300 of ipaserver/install/certs.py from:

        if passwd is not None:

to:

        if passwd is not None and passwd != "":

This will force create_passwd_file to generate a password if it's blank. The source of the problem could also be create_from_cacert(), since its definition makes the passwd default to '' instead of None like all others.

The attached patch file should apply the fix.

Comment 1 Rob Crittenden 2011-06-29 20:37:10 UTC
https://fedorahosted.org/freeipa/ticket/1407

Comment 2 Rob Crittenden 2011-06-29 20:38:19 UTC
I have a feeling something else is going on; this is the first report like this.

Comment 3 Rob Crittenden 2011-07-18 17:28:14 UTC
I couldn't reproduce the reported problem, but the replica HTTP database was being generated with a blank password. Having an empty password isn't necessarily all that horrible, but we don't want to do it by default, so I instead made it so we never call with passwd='' by default and instead use passwd=None.

master: d43ba5316a08249fa276cdc43338d85f784547f0

ipa-2-0: 5fab4570ad50ff400c2f95a72c9a6668545a2b8f
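
An added example, not FreeIPA's code and not part of the bug comments: a simplified Python stand-in for the password-file logic discussed above, showing how a passwd='' default slips past an `is not None` check, and how the reporter's guard and the passwd=None default from comment 3 each avoid the empty file. The function names, the random password length and the temporary paths are assumptions made for illustration.

```python
import os
import secrets
import tempfile


def _write(path, passwd):
    # Owner-only file, since it holds the certificate db password.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(passwd)


def create_passwd_file_reported(path, passwd=None):
    # Check as quoted in the report: only None triggers generation,
    # so passwd='' is written out as an empty password file.
    if passwd is not None:
        _write(path, passwd)
    else:
        _write(path, secrets.token_hex(20))


def create_passwd_file_guarded(path, passwd=None):
    # Reporter's guard: None and '' both mean "generate a password".
    if passwd is not None and passwd != "":
        _write(path, passwd)
    else:
        _write(path, secrets.token_hex(20))


def passwd_file_is_empty(path):
    # Post-install check: True when the file holds no password.
    with open(path) as f:
        return f.read().strip() == ""


def demo():
    # Constructed cases: (password-file function, passwd the caller passes).
    cases = {
        "blank_default": (create_passwd_file_reported, ""),
        "reporter_guard": (create_passwd_file_guarded, ""),
        "none_default": (create_passwd_file_reported, None),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (create, passwd) in cases.items():
            path = os.path.join(d, name)
            create(path, passwd)
            results[name] = passwd_file_is_empty(path)
    return results
```

A check like `passwd_file_is_empty` can be run against the installed password file after a replica install to catch a blank certificate db password before the web server restart fails.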

